The present invention relates to a cryptographic key management
apparatus and method.

As known in the prior art, the secure interchange of data between
entities that make up a distributed system, for example domain members
of a communications domain, requires the use of cryptography.
Cryptography requires the distribution and use of cryptographic keys.
Conventional key management involves providing respective pairs of
domain members with a private key, i.e. a key which is shared between,
and only known and used by, the pair of domain members, for
communication between the pair of domain members in either direction.
As such, the same key is used for encrypting and decrypting a message
during communication between two domain members. Thus, it is essential
to the security of the domain to keep these keys secret and known only
by the intended users. This creates problems for key distribution.

Public key cryptography is also known in which two different but
related cryptographic keys are provided and the key belonging to one of
the pair of domain members is a public key which need not be kept
secret. As such, the public key can be distributed throughout the
domain without concern for its security and so the key distribution
problem experienced with private keys does not arise. However, one pair
of keys allows for communication in one direction only and so two
further keys are necessary to implement two-way communication between
two domain members.

Conventional key management that involves the use of private keys is
disadvantageous in that a large number of secure keys are required for
such symmetrical key usage. The number of secure keys required is the
square of the number of members in a particular domain, and this also
renders the management and secure distribution of the keys particularly
problematic.

Known public, or asymmetrical, key management is also disadvantageous
in that it is relatively expensive to implement and computation
intensive and so relatively slow in use.

It is known from US patents 4 941 176, 4 924 515 and 4 924 514 to
control the use of cryptographic keys by means of control information
associated with the cryptographic key information. However, the
above-mentioned disadvantages are also found in such known systems.

It is an object of the present invention to provide cryptographic key
management apparatus which does not suffer the above mentioned
disadvantages and therefore provides for simple key distribution and
also a relatively high speed of operation.

According to one aspect of the present invention there is provided
cryptographic key management apparatus having a plurality of key means
for a plurality of members of a communications domain, each key means
comprising a cryptographic key value and control information specifying
key usage, characterized in that said plurality of key means comprises
a plurality of domain vector keys each paired with a member vector key,
each pair of vector keys sharing the same cryptographic key value and
the domain vector keys being specified as public keys for data
encryption and data seal verification and the member vector keys being
specified as private keys for data decryption and data seal generation,
wherein said plurality of domain vector keys are located in store means
accessible to said plurality of domain members and each domain member
is associated with at least one of said pairs, and in that a plurality
of master keys are provided to protect the plurality of vector keys.

Such apparatus is advantageous in that a vector key, which is a
combination of a key value and control information controlling the use
of the key, can be paired with another vector key sharing the same key
value but different control information, such that characteristics of
asymmetrical key usage can be impressed, by use of the control
information of the vector key, onto symmetrical keys. Thus, key
management is provided which combines the simple key distribution
characteristic exhibited by asymmetrical or public key algorithms with
the relatively high speed of operation which is a characteristic of
symmetrical key algorithms. As such, a domain member advantageously
requires only one vector key to secure messages it transmits, and only
one vector key to secure messages it receives. Thus, the total number
of keys required is restricted to only twice the number of entities or
domain members. However, as mentioned above, the vector keys of each
pair share the same cryptographic key value and so a high-speed
symmetrical type operation can also be achieved.

Vector key management, as provided by the apparatus of the present
invention, also advantageously allows for the storage of cryptographic
keys in network directories from which they can be easily retrieved
when required. Also vector key management is compatible with the
emerging international standards for open system directories, for
example the CCITT X.500 directory.

Further advantages arise in that vector key management provides a
simplified and open-ended approach to cryptographic key distribution in
that the present invention is compatible with other known means of key
management and distribution. Also, a vector key is particularly suited
to recent advances in the design of secure semiconductor devices that
can store cryptographic keys. This further facilitates the use of
symmetrical cryptographic keys as if they were asymmetrical.

The apparatus of the present invention therefore provides for secure
one-way communication channels between the members of a communications
domain or entities of a distributed system. From these communications
channels, a variety of secure interaction paths and patterns can be
established that support a wide range of applications including simple
data communications security and also transaction security.

According to another aspect of the present invention there is provided
a method of managing cryptographic keys having a key value and control
information for specifying the use of the keys by members of a
communications domain, characterized by arranging the cryptographic
keys as public and private key pairs which share the same key value,
associating at least one pair with each domain member, specifying each
public key for data encryption and data seal verification and each
private key for data decryption and data seal generation, locating the
cryptographic keys in store means accessible to all domain members and
by providing master keys to protect the cryptographic keys.

The invention is described further hereinafter, by way of example only,
with reference to the accompanying drawings in which:

Fig. 1 is a block diagram of part of a cryptographic key management
apparatus embodying the present invention; and

Fig. 2 is a schematic representation of apparatus embodying the present
invention.

The invention employs known cryptographic key management concepts such
as symmetrical encryption and decryption of information and message
authentication using the Data Encryption Standard (DES) algorithm and
also public key or asymmetrical cryptography. The invention may also
advantageously employ a directory as a means of storing and sharing
information throughout a communication domain.

The invention differs from known cryptographic key management functions
in that the working keys, i.e. those which control the
encryption/decryption of data, comprise vector keys, which comprise a
key value and control information, and which are employed as controlled
keys providing for one way, or asymmetrical, message encryption or
message sealing.

In its operation, vector key management is domain orientated in that
the entities or systems, i.e. domain members, that make up the domain,
share certain keys and also a store means, or directory, from which the
keys can be retrieved as required. Vector key management involves the
use of two different types of working key in addition to master keys,
which serve to protect the working keys. These different working keys
comprise domain vector keys and member vector keys. The domain vector
key is designated a public key and, as such, each of the domain members
has access to each domain vector key. The member vector key is
designated as a private key in that each member vector key is available
to, and known by, only the domain member with which it is associated.
The domain vector keys and member vector keys are also further defined
by their respective control information such that the domain vector
keys, i.e. the public keys, control only message encryption and message
seal verification and the member vector keys, i.e. the private keys,
control only message decryption and message sealing.

The provision of the above mentioned domain vector keys and member
vector keys forms part of the operational criteria to be met by
apparatus according to a preferred embodiment of the invention.
Accordingly, all members of a secure communications domain should be
able to encrypt a message but only the intended recipient should be
able to decrypt such a message. Likewise all members of a secure
communications domain should be able to verify the seal of a message
but only one identifiable member should be able to generate a
particular seal on a given message. Thus, the domain vector keys, which
are employed for message encryption and seal verification, are provided
as public keys and the member vector keys, which are employed for
message decryption and seal generation, are provided as private keys.

The above requirements can be met by the appropriate distribution of
the cryptographic keys. The distribution of keys is greatly facilitated
by the use of asymmetrical crypto algorithms which allow the sharing of
public keys between domain members and further advantages arise from
the present invention in that relatively simple and fast symmetrical
crypto algorithms are used in an asymmetrical manner. The sharing of
working keys is greatly facilitated by the sharing of master keys, or
key encryption keys. Advantageously, the invention provides a domain
master key which is shared by all domain members, and which is used to
protect the domain vector keys, and also a plurality of member master
keys, each one of which is unique to a respective domain member, and is
arranged to protect the respective member vector key of each domain
member.

Since domain vector keys are working keys that can be used for
encryption or seal verification by any member of a domain, they must be
protected in such a way that they are accessible only to the members of
that domain. This protection is provided by encrypting the domain key
value with a domain master key. This encryption is performed within the
crypto processor and is not accessible from outside it. Whenever a
domain vector key is created it is encrypted under the domain master
key before being stored in the directory or otherwise made public. The
domain vector key thereby encrypted appears as a "key value" in the
vector key. The domain master key may be a single or a double length
key since this makes no difference in principle, but does make
cryptographic attack on a domain master key, or on a domain vector key,
impractical.

All the domain members have the domain master key in their
crypto-processor and therefore they can make use of vector keys that
are encrypted by it. These members are also the only ones that can
create domain vector keys.

Alternatively, since member vector keys are working keys that can be
used for decryption or sealing only by the member of a domain that
created that key they must be protected in such a way that they are
accessible only to the member of the domain that created them. Also,
since a member may have many of these vector keys, they may be stored
outside secure cryptographic devices. The required protection is
provided by encrypting the member key value with the member master key.
This encryption is performed within the crypto processor and is not
accessible from outside it. Whenever a member vector key is created it
is encrypted under the member master key before being stored on disc or
put in a directory or otherwise made public. The member vector key
thereby encrypted appears as a "key value" in the vector key. The
member master key may be a single or a double length key since this
makes no difference in principle, but it does make cryptographic attack
on a member master key, or on a member vector key impractical.

All the domain members have their own member master key in their
crypto-processor and therefore they can make use of vector keys that
are encrypted by it. They are also the only members that can create the
respective member vector keys.

Further security is provided by the present invention in that the use
of the master keys is restricted to particular predetermined trusted
devices which contain built-in key management functions and which will
not misuse either the master keys or the working keys. The provision of
devices that will not prejudice the security of the communications
domain allows for the sharing of master keys without further
compromising security of the domain.

As such, the present invention provides for secure key distribution
based on the use of the above-mentioned trusted devices that can employ
symmetrical keys as if they were asymmetrical.

The preferred embodiment of the present invention relies particularly
on the vector key and the vector key processor. The vector key is a
combination of encryption key material and key control information that
determines whether a key can be used as a public key or as a private
key. The vector key processor is arranged in each member to hold the
master keys and also load the vector keys into a cryptographic
processor in which the encryption/decryption and sealing/seal
verification of the message is carried out. The key material and
control information is advantageously provided as a single data
structure.

As illustrated in Fig. 1, a vector key processor 11 and a cryptographic
processor 13, belonging to each domain member, can be provided on a
single semiconductor device 15 which can be accessed by an application
program.

The two types of vector keys provided, namely the domain vector key and
member vector key, are both, according to a preferred embodiment of the
invention, stored in a directory that is accessible to all entities or
members of a communications domain. Each domain vector key is paired
with a member vector key and each domain member is associated with at
least one such pair. The two vector keys of each pair contain the same
cryptographic key material while the vector control information, and
the particular master key used to secure the vector key determine which
of the vector keys of each pair is used as a public or private key. The
control information of each key specifies the key as either a public
key or a private key. In the present invention, the domain vector keys
are specified for use in encryption and seal verification of a message
and member vector keys are specified for use only for decryption and
seal generation. All domain members should be able to encrypt a message
and verify the seal on a message so that the domain vector keys are
specified as public keys and are accessible to all domain members.
However, only the intended recipient of a message should be able to
decrypt the message and also generate a seal for a message, and so the
member vector keys are specified as private keys and are accessible
only by the domain member to which they belong or with which they are
associated.

The vector key pairs, when stored in the directory may be sealed by the
member master keys so as to provide protection against vector
substitution.

Also, operations between different communication domains can be
supported by way of key translation facilities that translate vector
keys between the domain master keys of the domains.

The vector key of the preferred embodiment of this invention comprises
the following: a vector syntax identifier; a domain name identifier; a
vector name identifier; a vector type identifier, i.e. indicating
whether a key is a domain vector key or member vector key; a key
purpose identifier, i.e. whether the key is specified for data
encryption/decryption or seal generation/verification; a master key
identifier; a key size identifier; a key value; and a seal.

The seal is a Message Authentication Code (MAC) computed according to
ANSI X9.19 binary option. The invention allows for the loading of
vector keys into the directory by the domain members as required. A
further level of protection may be provided by loading the vector keys
as attributes into X.509 certificates. The certification means that
creates these certificates adds its own public key signature to the
certificate thus making it impossible for domain members to register
themselves. Such a level of security control may be particularly
advantageously employed in networks which are shared by multiple secure
communication domains.

As mentioned above, vector key processing is advantageously supported
by way of a vector key processor. Such processors are arranged to hold
the master keys of the domain members, to use the working keys only as
indicated by the key control information and to load the working keys
into a cryptographic processor for message encryption/decryption or
seal generation/verification as required.

A set of typical operations of a vector key management apparatus is
outlined below, which set is arranged to replace the conventional key
management operations of known cryptographic hardware and software. It
should be noted that vector key management can be employed as a basis
for setting up conventional session keys for communication between two
network nodes. As such, a first node generates a session key, seals it
under its sealing key and encrypts it under the encryption key of the
second node. A particularly advantageous implementation of vector key
management involves the combination of standard cryptographic
operations that support system functions and applications with vector
key management operations in a single secure device such as an
appropriately designed semiconductor device. Of course, other
implementations are possible and appropriate dependent upon factors
such as cost and the level of security required.

The typical set of operations to be supported are:-

    Encryption
    Decryption
    Seal generation
    Seal verification
    Encryption and Seal generation
    Decryption and Seal verification

Typical vector key management operations include:-

    Loading of vector key into processor
    Retrieval of vector key from processor
    Retrieval of key material
    Creation of vector key

Typical session key management operations:

    Generate a working key
    Verify and load the working key

The invention is now further described with reference to particular
operations between two members A, B of a Security domain X and which
involve vector keys identified by the expression Vd-n-t-p, where:

    d - identifies the domain in which the communication occurs.
    n - identifies the domain member associated with, or owner of, the
        key.
    t - identifies the type of vector key (i.e. whether domain or
        member).
    p - identifies the intended use or purpose of the key (i.e.
        encrypt/decrypt or seal generation/verification).

Referring to Fig. 2, the operation of the apparatus embodying the
present invention is first outlined in which, within a domain 10, a
domain member A 12 sends a sealed message S(M) 16 to a domain member
B 14.

The domain member 12 first reads the key VXAMS 20 from the directory 18
in which the key is held. As indicated, this member vector key belongs
to the domain member 12 and is arranged for seal generation. The member
12 then feeds this key VXAMS 20 into its vector key processor 11 which
verifies the vector key VXAMS 20 and loads it into a cryptographic
processor 13 (see Fig. 1). The member 12 inserts the name of the key
VXAMS 20 into the message M to be sealed and passes the message M to
the cryptographic processor 13 for sealing. The sealed message S(M) 16
obtained is then sent to the domain member 14. On receipt of the sealed
message S(M), the member 14 reads the vector key name. The member 14
then obtains the key VXADV 22 from the directory 18. As indicated, this
key VXADV 22 is the domain vector key associated with the domain member
12, and which is paired with the member vector key VXAMS 20 belonging
to the member 12 for verifying the seal provided by VXAMS 20. Also as
indicated, VXADV 22 is a domain vector key, i.e. a public key and
although it is identified as belonging to member 12, being a public key
it is accessible to all domain members and so can be retrieved from the
directory, and used, by the member 14. Having obtained VXADV 22, the
member 14 feeds this key into its vector key processor which verifies
the vector and loads the key VXADV 22 into its cryptographic processor.
The member 14 then passes the sealed message S(M) 16 it received from
member 12 to its cryptographic processor which verifies the seal using
VXADV 22 already loaded therein and passes the result of the
verification back to member 14.
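
The control-information enforcement and the sealed-message exchange between members A and B described above can be modelled as follows; this is an added example, not code from the patent. Assumptions: HMAC-SHA256 stands in for the ANSI X9.19 MAC, an XOR pad derived from the master key stands in for DES encryption of the key value, each vector is sealed under the master key that wraps it, and all class and function names are hypothetical.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, replace

ALLOWED = {"D": {"E", "V"},    # domain vector key (public): encrypt, verify seal
           "M": {"D", "S"}}    # member vector key (private): decrypt, generate seal
PAIRED = {"S": "V", "D": "E"}  # member-key purpose -> paired domain-key purpose

@dataclass(frozen=True)
class VectorKey:
    domain: str
    owner: str
    vtype: str      # "D" (domain) or "M" (member)
    purpose: str    # "E", "D", "S" or "V", as in VXAMS, VXADV, VXBDE, VXBMD
    wrapped: bytes  # key value encrypted under a master key
    seal: bytes     # MAC over control information and wrapped key value

    @property
    def name(self):
        return f"V{self.domain}{self.owner}{self.vtype}{self.purpose}"

class VectorKeyProcessor:
    """Model of the trusted device: master keys and clear key values stay inside."""

    def __init__(self, domain, member, domain_master):
        self.domain, self.member = domain, member
        self._masters = {"D": domain_master, "M": os.urandom(32)}  # shared, own

    def _prf(self, vtype, label, data):
        return hmac.new(self._masters[vtype], label + data, hashlib.sha256).digest()

    def _crypt(self, vtype, name, data):
        # Assumption: XOR pad stands in for DES encryption under the master key.
        pad = self._prf(vtype, b"wrap", name.encode())
        return bytes(a ^ b for a, b in zip(data, pad))

    def _make(self, vtype, purpose, value):
        vk = VectorKey(self.domain, self.member, vtype, purpose, b"", b"")
        wrapped = self._crypt(vtype, vk.name, value)
        seal = self._prf(vtype, b"seal", vk.name.encode() + wrapped)
        return replace(vk, wrapped=wrapped, seal=seal)

    def create_pair(self, member_purpose):
        value = os.urandom(32)  # one key value shared by both vectors of the pair
        return (self._make("D", PAIRED[member_purpose], value),
                self._make("M", member_purpose, value))

    def _load(self, vk, operation):
        # 1. The control information decides what the key may do.
        if vk.purpose != operation or operation not in ALLOWED.get(vk.vtype, ()):
            raise PermissionError(f"{vk.name} may not be used for {operation}")
        # 2. The vector seal detects substituted or edited control information.
        expected = self._prf(vk.vtype, b"seal", vk.name.encode() + vk.wrapped)
        if not hmac.compare_digest(vk.seal, expected):
            raise ValueError(f"{vk.name}: vector seal check failed")
        return self._crypt(vk.vtype, vk.name, vk.wrapped)

    def seal(self, vk, message):
        return hmac.new(self._load(vk, "S"), message, hashlib.sha256).digest()

    def verify(self, vk, message, tag):
        expected = hmac.new(self._load(vk, "V"), message, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected)

def refusal(call, *args):
    try:
        call(*args)
    except (PermissionError, ValueError) as exc:
        return type(exc).__name__  # how the processor refused the request
    return None

def demo():
    domain_master = os.urandom(32)  # constructed; loaded into every member's device
    a, b = (VectorKeyProcessor("X", m, domain_master) for m in "AB")
    vxadv, vxams = a.create_pair("S")  # both vectors can sit in the directory
    message = vxams.name.encode() + b"|transfer 100 to B"  # constructed message
    tag = a.seal(vxams, message)
    edited = replace(vxadv, vtype="M", purpose="S")  # public vector relabelled
    return {
        "b_verifies_seal": b.verify(vxadv, message, tag),
        "altered_message_verifies": b.verify(vxadv, message + b"!", tag),
        "b_seals_with_vxadv": refusal(b.seal, vxadv, message),
        "b_seals_with_vxams": refusal(b.seal, vxams, message),
        "b_seals_with_edited_vector": refusal(b.seal, edited, message),
    }

if __name__ == "__main__":
    print(demo())
```

Member B can verify A's seal with VXADV, but its processor refuses to generate a seal with that key, cannot open VXAMS without A's member master key, and rejects a vector whose control information was edited after sealing.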

The following operation involves the domain 
member A 12 sending an encrypted message E(M) 
(24) to the domain member B 14. 

Member 12 reads the key VXBDE 26 from the directory 18. As indicated,
this key 26 belongs to, or is associated with, the domain member 14 but
being a domain vector key i.e. a public key, it is accessible to all
other domain members. The member 12 then feeds the key VXBDE 26 into
its vector key processor 11 which verifies the vector key and loads it
into its cryptographic processor 13. The member 12 appends the name of
key VXBDE to the message M to be encrypted and passes message M to its
cryptographic processor for encryption. It should be noted that the
vector name is not encrypted. The message E(M) 24 is then sent to the
domain member 14. The member 14 receives the message and reads the
vector key name. The member 14 then obtains the key VXBMD from the
directory. This key, as indicated is a private key, accessible only to
the member 14 and which is paired with the key VXBDE 24 previously
employed by the member 12 in encrypting the message to be sent to the
member 14. The key VXBMD 28 is fed into the vector key processor
belonging to the member B wherein its vector is verified before it is
loaded by the vector key processor into the cryptographic processor.
The member 14 then passes the encrypted part of the message E(M) 24 to
the cryptographic processor where it is decrypted and the result passed
to the member 14.

The following operation involves the secure communication between a
member A in domain X and a member C in domain Z, in which A sends a
sealed message to C.

A reads its own member vector key VXAMS from the directory. This key
VXAMS is then fed into A's vector key processor wherein it is verified
and then loaded into A's cryptographic processor.

A inserts the name of the key VXAMS into the message and passes the
message to the cryptographic processor for sealing. A then sends the
sealed message S(M) to C. On receipt of S(M), C reads the vector name
and obtains the key VXADV, i.e. the public key which is paired with the
key VXAMS used for sealing the message. Having obtained VXADV, C passes
this key to its domain translation facility which translates the key
from the domain X key space to the domain Z key space. C then receives
VZADV in return. C feeds VZADV into its vector key processor wherein
the key identity is verified and the key is subsequently loaded into
C's cryptographic processor. C then passes the sealed message S(M) to
its cryptographic processor which verifies the seal by way of key VZADV
previously loaded therein. The result of the verification is passed
back to C.

In this latter operation involving communication between domain members
in different domains, C destroys the vector key VZADV once used since A
may at any time change the VXAMS/VXADV vector key pair. Senders of
encrypted messages, and receivers of sealed messages, must always use
the vector keys from the directory.

The vector key management apparatus of the present invention provides
for a simple and open-ended cryptographic key distribution. Also, the
invention does not carry out operations that are specific only to
vector keys and so interaction with other key distribution systems, for
example conventional systems, is possible. Thus the vector key
management means is able to deliver keys generated according to the
rules set by any other key management system to any member of a secure
communication domain. The mapping and gateway functions between
apparatus of the present invention and other key management systems can
be provided in a single device or domain member, or alternatively can
be distributed between many members of a domain.

A known key management apparatus is defined according to ANSI Standard
X9.17 (ISO 8732) and which requires the use of counters to control the
use of keys. The generation of X9.17 key values may be carried out by
the gateway or by an X9.17 conformant system. In either case, the
gateway provides for counter management. New keys are re-defined in
vector key format and stored in a directory. The domain members
retrieve the keys from the directory to interchange secure messages
with systems using X9.17 key management.



Claims

1. Cryptographic key management apparatus having a plurality of key
means for a plurality of members of a communications domain, each key
means comprising a cryptographic key value and control information
specifying key usage, characterized in that said plurality of key means
comprises a plurality of domain vector keys each paired with a member
vector key, each pair of vector keys sharing the same cryptographic key
value and the domain vector keys being specified as public keys for
data encryption and data seal verification and the member vector keys
being specified as private keys for data decryption and data seal
generation, wherein said plurality of domain vector keys are located in
store means accessible to said plurality of domain members and each
domain member is associated with at least one of said pairs, and in
that a plurality of master keys are provided to protect the plurality
of vector keys.

2. Apparatus according to claim 1, characterized by vector key
processor means for receiving said master keys and for controlling said
data encryption and data decryption.

3. Apparatus according to claim 2, characterized in that said vector
key processor means is arranged to load said domain vector keys and
member vector keys into a cryptographic processor in which said
encryption and decryption is performed.

4. Apparatus according to claim 3, characterized in that said vector
key processor means and said cryptographic processor are provided on a
single integrated circuit.

5. Apparatus according to any one of the preceding claims,
characterized in that said communication domain is arranged to delimit
the scope of use of said vector keys.

6. Apparatus according to any one of the preceding claims,
characterized in that said master keys comprise a domain master key
shared by said domain members to protect said domain vector keys and a
plurality of member master keys each of which is unique to a respective
domain member to protect the respective member vector key of each
domain member.

7. Apparatus according to any one of the preceding claims,
characterized in that said cryptographic key value and said control
information of each vector key is arranged as a single data structure.

8. A method of managing cryptographic keys having a key value and
control information for specifying the use of the keys by members of a
communications domain, characterized by arranging the cryptographic
keys as public and private key pairs which share the same key value,
associating at least one pair with each domain member, specifying each
public key for data encryption and data seal verification and each
private key for data decryption and data seal generation, locating the
cryptographic keys in store means accessible to all domain members and
by providing master keys to protect the cryptographic keys.

9. A method according to claim 8, characterized in that message
encryption and decryption is carried out in a cryptographic processor
into which the cryptographic keys are loaded from a vector key
processor.

10. A method according to claim 8 or 9, characterized in that said
communications domain delimits the scope of use of the cryptographic
keys.






EP 0 576 224 A2 



[FIG. 1: block diagram; labels: APPLICATION PROGRAM, VECTOR KEY PROCESSOR (11), CRYPTOGRAPHIC PROCESSOR (13), 15]






